Researchers Bypassed Windows Password Locks With Cortana Voice Commands (vice.com) 90
Two independent Israeli researchers found a way for an attacker to bypass the lock protection on Windows machines and install malware by using voice commands directed at Cortana, the multi-language, voice-commanded virtual assistant that comes embedded in Windows 10 desktop and mobile operating systems. From a report: Tal Be'ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer's browser and go to a web address that does not use https -- that is, a web address that does not encrypt traffic between a user's machine and the website. The attacker's malicious network adapter then intercepts the web session to send the computer to a malicious site instead, where malware downloads to the machine, all while the computer owner believes his or her machine is protected.
Physical access (Score:5, Informative)
Since this requires physical access, I propose an alternate method: unscrew the laptop and put whatever devices you want inside.
Re: (Score:2, Funny)
The manufacturers have already done that!
Re: (Score:2)
swap their Surface Book with an identical looking one that you have modified. They might be surprised the next time they turn it on that they have to log in again to sync their cloud data, but this is the perfect time to hijack their passwords and accounts.
Re: (Score:2)
o man, this one never fails. works on iphones too
Re: (Score:1)
Hey, lets see you put whatever devices you want inside a machine with bitlocker enabled ! Oh wait, that's right, it will lock itself down and say the hardware changed. On the other hand, this exploit of Cortana will allow you to bypass bitlocker and defeat the security....
Re: Physical access (Score:2)
Re: (Score:2)
Monster_user can Harry Potter the USB NA into the port. No physical contact necessary. That is why he is a monster!
Re: Physical access (Score:3)
The USB allowed a direct Man in the Middle attack, which is why it doesn't work for HTTPS sites. A highly coordinated effort does not require physical access to the machine itself, on a weak link in key infrastructure and audible proximity to the device in question.
The USB adapter serves the same purpose as a poisoned DNS cache or routing table.
The USB device did not install software, Cortana did, as she was in
Re: (Score:1)
If you can plug in a USB key, there's a much easier way to access the PC. Just install Kon-boot on the USB drive first, plug it in, and boot the PC. You're in. This works on Workgroup and Domain PCs, Servers, etc. Not sure what username to use? Try administrator...
As for the subject of the original article: way to go MS... EPIC fail. Can't say I'm surprised though.
Re: Physical access (Score:2)
If you can plug in a USB key, there's a much easier way to access the PC. Just install Kon-boot on the USB drive first, plug it in, and boot the PC.
Doesn't work if the device is encrypted. Doesn't work if BIOS doesn't allow booting from USB. Probably won't work on most modern devices which have secure boot enabled by default.
(Don't quote me on the last one)
Re: Physical access (Score:2)
Good since you are pretty much incorrect. Secure boot just require secure boot enable boot device and os like windows pe or a number of linux distros for example
Yeah, I tried that. Couldn't get the Linux iso to boot until I finally went into the windows settings and told it to allow it. And yes, the iso was secure boot enabled.
But I definitely don't have a comprehensive understanding of how secure boot is supposed to work, which is why I added that disclaimer.
Re: (Score:2)
This one has the advantage of not requiring a reboot, which means you can plug the USB in, do the voice commands, remove the USB, and the owner that returns from the bathroom a moment later will be none the wiser - the screen comes back up right on the Facebook post they were reading before.
Re: (Score:2)
unscrew the laptop and put whatever devices you want inside
What's a screw? Mine is held together by glue and I couldn't get in myself even if I wanted to.
Re: (Score:2)
Heat guns work on pretty much every adhesive, including solder.
Re: Physical access (Score:2)
Heat guns work on pretty much every adhesive, including solder.
The good news is, I got the cover off. The bad news is, there's a bunch of little chippy things rattling around.
Re: (Score:2)
Heat guns work on pretty much every adhesive, including solder.
I take it you haven't looked at the iFixit scores for some tablets. In many cases it's pretty much impossible to get into some devices without destroying the screen in the process.
Re: (Score:2)
Half the time they aren't even using the proper equipment, (get a real spudger, guys) so I don't bother with their reviews.
Re: (Score:2)
Half the time they aren't even using the proper equipment, (get a real spudger, guys) so I don't bother with their reviews.
Yeah indeed, let's complain about the people who open devices for a living don't have the right equipment and then draw parallels to some field based quick espionage.
Re: (Score:3)
"Yeah indeed, let's complain about the people who open devices for a living"
No, they make videos for a living. I open devices for a living, far more than they have ever done. Hundreds of thousands in repair depots around the country.
Re: (Score:2)
(get a real spudger, guys)
But from where?
https://www.ifixit.com/Search?... [ifixit.com]
Re: (Score:2)
Since this requires physical access, I propose an alternate method: unscrew the laptop and put whatever devices you want inside.
Physical access is irrelevant in this case. From TFA:
"allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer's browser and go to a web address that does not use httpsâ"that is, a web address that does not encrypt traffic between a user's machine and the website."
In other words it is not necessary to install a BIW device. Any bad actor could intercept traffic at any point along the path or one could operate th
Re: Physical access (Score:2)
Re: (Score:2)
Novel Idea (Score:2)
or perhaps best suited for a movie...
but I somehow would like to see someone remotely hack an Alexa to utter voice commands to Cortana, to bypass Windows security and gain access to "sensitive files"...
Who knows maybe they will get into an argument, or have built in hard-coding to give each other the silent treatment.
As far as the movie option, it'll probably never happen as the producers would probably get sued into oblivion by the tag team of Amazon and Microsoft...
Re: (Score:2)
Nah, the script will have Cortexa talking to Alana. No trademarks infringed.
Nope (Score:3)
Just another reason to not use Cortana or any of the other voice-activated appliances from Amazon, Apple, Google, etc.
Re: (Score:2)
Re: (Score:2)
limiting exposure is never a logic fail. what are the chances that the other software vendors don't have a zero day exploit on code written by monkeys.
you have to do a cost analysis.
Re: (Score:2)
Logic failure. It is a reason not use Cortana. It's not a reason to not use Amazon, Apple, or Google.
How do you know it isn't via Siri that the security firms get into Apple devices?
Re: (Score:2)
Just another reason to not use Cortana or any of the other voice-activated appliances from Amazon, Apple, Google, etc.
Or have it not respond to vocal commands without a password, preferably one locked to a voice print and not just specific words, when locked down. However, given that I doubt anybody making these products will institute such a basic level of security until it's established that they cannot shift responsibility for security to a user when they either did not have the ability to secure it available, or what ought to be a basic security option only offered via a series of hidden super-sekret commands with few
Re:Nope, Not enough (Score:2)
If you have proprietary or sensitive info, it ought to be only on a non-connected PC/Mac, whatever.
There are too many bugs in Windows. I don't care what promises Microsoft and Satya have to say.
History repeats (Score:5, Interesting)
In the past, you could hack into old windows machines by pressing F1 at password prompt. If the help file was missing, it would ask you to browse and find it, which would allow you to right click on executables and run them. Nice to see that some things never change.
Re: (Score:2)
I used the old method of swapping in command.exe as sethc.exe from some bootable medium, and then booting back to windows. Ta-da! Ownage of the administrator account.
Re:History repeats (Score:5, Interesting)
You didn't even need a missing help file. If you could open the help bubble you could right click and click print. Then from the print dialogue you could open a proper windows help screen. From there if you opened the index search and opened a different help topic you'd get a full windows help screen with menubar. Then just click file, open, navigate to the windows folder, right click on explorer.exe and run it.
Easily fixed (Score:2, Informative)
Re: (Score:2)
You're putting a lot of trust in Grandma and Grandpa knowing how to dig into Cortana's config and enable it.
Not everyone has a family member that can/will help protect them from themselves.
Re: (Score:2)
Re: Easily fixed (Score:2)
Re: Easily fixed (Score:2)
Re: (Score:2)
But saying that Bob or Jane cannot be expected to have more knowledge than Grandma and Grandpa is a departure from the path.
"Hey, this is fixable by doing X"
"Retired old farts can never be taught to do X"
"What do retired old farts have that somebody would physically break into their house to mess with their computer"
"What about government employee's with Top Secret clearance?"
Okay, I give up. sgrover is correct. As long as we hand out Top Secret clearances to people as unreliable as Hillary Clinton, we can
Physical access (Score:4, Informative)
Re: (Score:2)
Re: (Score:1)
Why a machine that is "in sleep and locked" does open a browser following user input? This means it's not so locked. And there's the user session still running so that may be a more interesting target than an encrypted turned off PC.
Marketing over security (Score:5, Insightful)
Wow, what a fail by Microsoft. It should be beyond obvious to anyone with a pulse that not providing a way to completely disable Cortana opens computers up to an entire Pandora's box of security vulnerabilities.
It's totally obvious Microsoft is just jamming this down everyone's throat, especially business users, because they know they can get big (and mostly bullshit) "adoption" numbers and operational data for Cortana.
Of course the larger problem is nobody wants Microsoft's bullshit attempts to re-invent themselves as Google, Amazon/Alexa or Apple/Siri. So they will cram it down everyone's throats and get some minor level of usage just because it's there even though it aggravates most everyone else.
Just disable it (Score:2)
hardware limitations (Score:2)
Re: (Score:2)
They can do, yes. The article links to a piece about a so-called dolphin attack [techcrunch.com], that gets voice assistants to respond to ultrasonic signals.
What does the network adapter have to do with it? (Score:2, Interesting)
I don't get it. The attack as described involves plugging in a compromised network adapter so that you can tell Cortana to go to an insecure website, and instead direct the machine to a different site that serves malware. Why not skip the network adapter, and just tell Cortana to go straight to a malware site instead?
Re: (Score:2)
I also don't get it: at what point does Windows decide a newly plugged-in USB network adapter should get all traffic routed to it instead of the existing cable/Wi-Fi connection?
If the weakness is Cortana always listening and able to be directed to a non-SSL web site why not attack the Wi-Fi access point or the modem/router?
Re: (Score:2)
Because this is /. and I didn't read TFA, here's the answer to my own question:
That's just fucking stupid.
In a related tactic ... (Score:2)
... hackers do a home invasion and make the user type in stuff.
I thought that Cortana was useless (Score:2)
Checklist (Score:1)
that lockscreen tho (Score:1)
insecure by design levels up (Score:2)
People used to say "a woman's work is never done". At least this story conveys a hint of gender parity.